Classification: UNCLASSIFIED ======================================================
Good afternoon,

Our team is in the midst of a NiFi upgrade from 1.12.1 to 1.15.3, and we are encountering issues installing our 1.12.1 flow.xml.gz to 1.15.3 via a CloudFormation template.

Our process of starting up NiFi is a bit different from what I've seen online, in that we have the NiFi 1.15.3 tar in S3 along with its corresponding /conf files and /lib folder holding our custom nar file. The CloudFormation script pulls an install script from S3 that pulls and installs NiFi on an EC2 instance. Once installed, we sync the S3 folders holding our /conf and /lib files into the NiFi EC2's conf and lib folders, set ownership to local user nifi, and start NiFi.

For the upgrade from 1.12.1 to 1.15.3, we have to account for the encryption update that was introduced in 1.14.0. What we did to mitigate the upgrade was decrypt the sensitive values in the 1.12.1 flow.xml.gz file w/ the old algorithm and key, and encrypt the same sensitive values using the new algorithm and key generated inside the nifi.properties file from a flow-less NiFi 1.15.3. Once we've set the sensitive values to the new algorithm, we place the newly modified flow.xml.gz into a new S3 bucket, copy over the conf files and lib nar into a new 1.15.3 bucket, and stand up a new CloudFormation template pointing to the new location of the conf and lib files.

While this worked on my local machine and in the dedicated developer test environment, we are having issues trying to apply the same logic in our staging environment. For some reason, we've noticed that when we pull the conf folder containing our new 1.15.3 flow, some or all encrypted sensitive values in flow.xml.gz were different from what we had set prior to sending it up to S3, causing a [AES/GES/NoPadding] error right after it starts the flow controller in the nifi-app logs.

We also tried the approach of using an existing nifi.properties file w/ key, placing it into S3, and running the same encryption steps to set the flow.xml.gz to the current algorithm, and while this worked locally, it also failed with the same decryption error. Looking online, the encrypt-config.sh approach did not work despite defining the correct parameters. We plan on utilizing templates tomorrow to see if that approach will work.

Any assistance is much appreciated,

- Nathan Velasquez
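
Added example, not part of the original message: one way to pin down which `enc{...}` values differ between the flow.xml.gz prepared locally and the copy pulled back from S3 onto the instance. It hashes the decompressed XML (gzip headers carry a timestamp, so the .gz bytes alone can differ harmlessly); the property layout in the regex and the sample data are simplified assumptions constructed for the example.

```python
import gzip
import hashlib
import re

# Assumed (simplified) flow.xml layout:
#   <property><name>..</name><value>enc{hex}</value></property>
PROP_RE = re.compile(rb"<name>([^<]*)</name>\s*<value>enc\{([0-9a-fA-F]+)\}</value>")


def summarize(gz_bytes):
    """Return SHA-256 of the decompressed XML and ordered (name, ciphertext) pairs."""
    xml = gzip.decompress(gz_bytes)
    pairs = [(n.decode(), c.decode().lower()) for n, c in PROP_RE.findall(xml)]
    return hashlib.sha256(xml).hexdigest(), pairs


def compare(before_gz, after_gz):
    """Compare the copy prepared locally with the copy found on the instance."""
    sha_a, enc_a = summarize(before_gz)
    sha_b, enc_b = summarize(after_gz)
    # Report position and property name only; never print the ciphertext itself.
    changed = [(i, a[0]) for i, (a, b) in enumerate(zip(enc_a, enc_b)) if a != b]
    return {
        "xml_identical": sha_a == sha_b,
        "count_before": len(enc_a),
        "count_after": len(enc_b),
        "changed": changed,
    }


def _sample(pw_hex, key_hex):
    """Build a constructed, minimal flow.xml.gz with two sensitive properties."""
    xml = (
        "<flowController><processor>"
        f"<property><name>Password</name><value>enc{{{pw_hex}}}</value></property>"
        f"<property><name>Secret Key</name><value>enc{{{key_hex}}}</value></property>"
        "</processor></flowController>"
    )
    return gzip.compress(xml.encode())


LOCAL = _sample("a1b2c3", "0011aabb")    # constructed: file before upload
PULLED = _sample("a1b2c3", "ffee9988")   # constructed: file after the S3 sync

if __name__ == "__main__":
    print(compare(LOCAL, PULLED))
```

For real files, pass `open(path, "rb").read()` for each copy; a non-empty `changed` list means the file was rewritten somewhere between upload and startup rather than transferred as-is.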
